A critical security vulnerability that exposed the data of more than 60 million customers to anyone with a USPS.com account was finally patched last week.
The vulnerability stems from an authentication weakness in an application programming interface (API) that the USPS runs as part of its ‘Informed Visibility’ program, which was created for business customers to track their packages in real time.
An undisclosed cybersecurity researcher provided a proof of concept against the API. The API accepted any number of ‘wildcard’ search parameters which, when entered properly, would return account details belonging to any customer.
What this means is that an attacker could have accessed the email addresses, user accounts, IDs, account numbers, mailing addresses, usernames, phone numbers and mailing campaigns of 60 million USPS customers.
This was not just a data-exposure problem: the vulnerability also made it possible for attackers to modify other users’ accounts, including their email addresses, phone numbers and so on.
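The two paragraphs above describe one underlying defect: an API that authenticates the caller but never ties the record being searched or edited to that caller. The Python below is an added illustration of that defect class and its fix; it is not code from the article and not the USPS Informed Visibility API. The account records, the field names and the fnmatch-style wildcard syntax (`*`, `?`) are assumptions made for the demonstration.

```python
"""Illustrative re-creation of an API authorization flaw of the kind described above.

Added example code, not the USPS Informed Visibility API or code from the article.
The records, field names and wildcard syntax are assumptions for this demo.
"""
import fnmatch
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a caller touches an account it does not own."""


@dataclass
class Account:
    account_id: str
    email: str
    phone: str
    street: str


# Constructed sample data standing in for the customer database.
ACCOUNTS = {
    "acct-1001": Account("acct-1001", "alice@example.org", "555-0101", "1 Elm St"),
    "acct-1002": Account("acct-1002", "bob@example.org", "555-0102", "2 Oak St"),
    "acct-1003": Account("acct-1003", "carol@example.org", "555-0103", "3 Ash St"),
}

# Metacharacters understood by fnmatch; any of them turns a lookup into a sweep.
WILDCARD_CHARS = set("*?[")


def search_accounts_vulnerable(caller_id, email_pattern):
    """Vulnerable read path: the caller's filter is applied to *every* record.

    Authentication proves who the caller is, but nothing binds the result set
    to the caller, so a pattern such as '*' returns the whole customer table.
    """
    return [a for a in ACCOUNTS.values() if fnmatch.fnmatchcase(a.email, email_pattern)]


def search_accounts_hardened(caller_id, email_pattern):
    """Hardened read path: scope to the caller first, then apply an exact match.

    Wildcard characters are rejected outright rather than escaped, so a later
    bug in escaping cannot silently reopen the hole.
    """
    if WILDCARD_CHARS & set(email_pattern):
        raise ValueError("wildcard characters are not permitted in this filter")
    own = ACCOUNTS.get(caller_id)
    # Only the caller's own record is ever a candidate for the filter.
    return [own] if own is not None and own.email == email_pattern else []


def update_phone_vulnerable(caller_id, target_id, new_phone):
    """Vulnerable write path: any authenticated caller can edit any account."""
    ACCOUNTS[target_id].phone = new_phone
    return ACCOUNTS[target_id]


def update_phone_hardened(caller_id, target_id, new_phone):
    """Hardened write path: the target object must belong to the caller."""
    if target_id != caller_id:
        raise AuthorizationError(f"{caller_id} may not modify {target_id}")
    ACCOUNTS[target_id].phone = new_phone
    return ACCOUNTS[target_id]


def raises(exc_type, fn, *args):
    """Return True if fn(*args) raises exc_type; keeps callers free of try/except."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    # Same authenticated caller, same request, two very different outcomes.
    print("vulnerable, pattern '*':", len(search_accounts_vulnerable("acct-1001", "*")), "records")
    print("hardened, pattern '*' rejected:", raises(ValueError, search_accounts_hardened, "acct-1001", "*"))
    print("hardened, own email:", search_accounts_hardened("acct-1001", "alice@example.org"))
    print("hardened, cross-account edit rejected:",
          raises(AuthorizationError, update_phone_hardened, "acct-1001", "acct-1002", "555-9999"))
```

The design point is that the hardened handlers decide the candidate set from the session, not from the request: the caller's identifier selects the record, and the request parameter can only narrow that one record, never widen it. On the monitoring side, requests carrying wildcard characters or returning more than one record per authenticated account are the signal a defender would alert on.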
“To avoid similar flaws, government agencies and companies must be proactive, not just reactive, in regards to application security. Every business that handles consumer data needs to make security a consistent, top-of-mind concern with an obligation to perform the strictest security tests against vulnerable avenues: APIs, network connections, mobile apps, websites, and databases. Organizations that rely on digital platforms need to educate and empower developers to code using security best practices throughout the entire software lifecycle (SLC), with proper security training and certifications,” said Setu Kulkarni, VP of strategy and business development at WhiteHat Security.
This problem could have been prevented
One of the most problematic points about this issue is that the USPS had been notified via responsible disclosure – last year. That disclosure was not acted upon until last week, leaving the data of 60 million users exposed to exploitation.
The unnamed researcher who originally discovered and disclosed this vulnerability ended up going to a reporter, who contacted USPS on the researcher’s behalf – just 48 hours later the Postal Service addressed the issue and issued a press release.
“While we’re not sure whether anyone actually took advantage of the vulnerability, it did reportedly exist for a whole year, so we should assume the worst,” said Paul Bischoff.
USPS’s official release states:
“We currently have no information that this vulnerability was leveraged to exploit customer records.”
“Out of an abundance of caution, the Postal Service is further investigating to ensure that anyone who may have sought to access our systems inappropriately is pursued to the fullest extent of the law.”
What Do I Do Now?
While the likelihood of account exploitation was low, Your Digital Mind recommends going through the standard ‘I May Have Been Breached’ process. This includes changing your passwords, going through your account settings and data with a fine-tooth comb, and reconfirming any devices associated with your account. We understand that this may be time consuming, but in situations such as these, following the proper procedure reduces the chances of potential malice.
If you have questions or would like more information please contact us at firstname.lastname@example.org